TITLE OF THE INVENTION

AN OVERLAY NETWORK FOR TRACKING
DENIAL-OF-SERVICE FLOODS
IN UNRELIABLE DATAGRAM DELIVERY NETWORKS

BACKGROUND OF THE INVENTION

Field of the Invention:

This invention relates to data communications, and more specifically relates to network security.

Discussion of the Background:

The phenomenal growth of the Internet has presented Internet Service Providers (ISPs) with the continual challenge of responding to millions of users' demand for reliable, fast and dependable access to this global resource. Satisfying these demands is imperative to maintaining a competitive edge in an intensely competitive market. To further intensify this challenge, ISPs and their customers frequently are victims of various types of packet flood attacks that negatively impact service availability.

Packet flood attacks are a type of denial-of-service (DoS) attack. A DoS attack is initiated by an attacker to deliberately interfere with or disrupt a subscriber's datagram delivery service. Packet flood attacks differ from other types of denial-of-service attacks in that a flood [...] in unreliable datagram delivery service networks utilizing IP (the Internet Protocol). Examples of such floods are the "SMURF" (or Directed Broadcast Amplified ICMP (Internet Control Message Protocol)) flood, the Directed Broadcast UDP (User Datagram Protocol) Echo Flood, and the TCP (Transmission Control Protocol) SYN flood. These attacks effectively cause a victim host to freeze, [cutting it off from] the Internet. In some circumstances, the effects of these attacks may cause a victim [host to crash], thereby requiring a system reboot. In addition to being a nuisance, a system [reboot can result in] lost data if precautions were not taken in advance. Because of the [effect that a flood attack] has on its subscribers, an ISP needs an effective mechanism to prevent or minimize [such] attacks.

Like many other types of DoS attacks, the attacker can forge the source address of the datagrams of the attack, and finding the source of forged datagrams [requires ...] resources. Because the source addresses of flood datagrams are almost always forged, it is non-trivial to determine the true origin of the attack. Tracking down the source of a flood-type denial-of-service attack [is ...] impossible in networks that meet these criteria.



Figure 9 shows a conventional high-speed network of an Internet Service Provider. An ISP network 901 includes a number of routers, of which edge routers 903, 905, 907, and 909 are shown. To access the Internet 913, user station 911 initiates a communications session [by sending] datagrams, which enter the ISP network 901 through edge router 905. These packets are then forwarded through one or more transit routers (not shown) within the ISP network 901, ultimately reaching edge router 907, which in turn forwards the packets to the Internet 913.

Assume now that user station 915 wants to prevent user station 911 from accessing the Internet 913. User station 915 [sends] ICMP echo (PING) traffic using the directed broadcast addresses of previously discovered [networks, with the forged source address] of the user station 911, which in this case is the victim. Accordingly, all of the hosts connected [to those broadcast networks] will reply to user station 911 [in response] to the ICMP echo requests. A large public network such as the Internet serves as [...]. [The only recourse the victim] has is to notify the ISP of the service disruption.

As seen in Figure 9, an attacker 917 may reside within another network. User station 917 [can] initiate a flood attack through an external network 919, which is connected to ISP network 901 via edge router 903. External network 919 may belong to another ISP, which has [its own] connection to the Internet (not shown). Under this circumstance, the ISP of network 901 [must notify] external network 919 that one of its subscribers is [launching] a packet flood attack.

In recognition of this problem, ISPs have developed various solutions to eliminate or [minimize] flood attacks. [...] the ISP network 901, which includes transit routers (not shown) and edge routers 903, 905, 907 [and 909], [...] as their main purpose is to forward packets at line [rate]. [...] [locate the] attacker after significant damage has occurred. In other words, the flood attack may be over by the time the ISP is able to [locate the attacker, ...] input debugging is performed on the core network.

[There is therefore a need for an effective approach to tracking] flood attacks [...] routers. There is also a need to minimize operational risks to the network, by using existing hardware and software, [without impeding the] flow of legitimate traffic. [...] software infrastructure is highly desirable.

SUMMARY OF THE INVENTION

According to one aspect of the invention, a method is provided for tracking denial-of-service (DoS) floods. The method comprises rerouting a flood attack to a tracking router. The tracking router forms an overlay tracking network [with edge routers ...]. [...] [so that the operational risk of the] mechanism to counteract denial-of-service flood attacks is minimized.

According to another aspect of the invention, a communication system for tracking [denial-of-service floods comprises a tracking router, ingress edge routers] and an egress edge router. Each of the edge routers is configured to perform [...]. [...] by utilizing standardized protocols and equipment.

According to yet another aspect of the invention, a computer-readable medium carries one or more sequences of one or more instructions for tracking denial-of-service floods. The one or more sequences of one or more instructions include instructions which, when executed by one or more processors, cause the one or more processors to perform the steps of receiving a datagram; [...] associated with the DoS flood attack. This approach advantageously enables the identification of [the source of a flood attack without impeding the flow of] legitimate traffic.



BRIEF DESCRIPTION OF THE DRAWINGS

A more complete appreciation of the invention and many of the attendant advantages thereof will be readily obtained as the same becomes better understood by reference to the following detailed description when considered in connection with the accompanying drawings, wherein:

Figure 1 is a diagram of an overlay tracking network in accordance with an embodiment of the present invention;

Figure 2 is a flow diagram of the hop-by-hop input debugging process employed by the system of Figure 1;

Figure 3 is a diagram of a full mesh overlay tracking network according to one embodiment of the present invention;

Figure 4 is a diagram of an overlay tracking network with a single top-level tracking router according to one embodiment of the present invention;

Figure 5 is a diagram of an overlay tracking network spanning two autonomous systems in accordance with one embodiment of the present invention;

Figure 6 is a diagram of the interconnection of two tracking routers using IP tunneling according to the system of Figure 5;

Figure 7 is a diagram of the tunnel connection between a tracking router and an edge router according to the system of Figure 5;

Figure 8 is a block diagram of an embodiment of a general router in the system of Figure 5; and

Figure 9 is a diagram of a conventional network of an Internet Service Provider that is subject to flood attacks.

In the following description, for the purposes of explanation, specific details are set forth in order to provide a thorough understanding of the invention. However, it will be apparent that the invention may be practiced without these specific details. In other instances, well-known structures and devices are shown in block diagram form in order to avoid unnecessarily obscuring the invention.



The present invention provides a valuable solution for the tracking of DoS flood attacks [...] performing the necessary diagnostic functions. Although the present invention is discussed with respect to an Internet Protocol (IP) [network], [...] the present invention has applicability to other communication protocols.

Figure 1 shows an overlay tracking network in accordance with an embodiment of the present invention. The network 101 of an Internet Service Provider (ISP) includes many [routers] to permit [communication] through a packet-switched network. As shown, ISP network 101 [connects subscribers 103 and 105]. As a recipient of the DoS flood attack datagrams, subscriber 105 assumes the role of victim. [...] flood attacks to a [...]. [Only attacker 103 and] victim 105 are shown. In this scenario, attacker 103 desires to deny service to victim 105 by launching a series of packet flood attacks through a system of routers within network 101 onto victim 105, thereby saturating the connection 107 of victim 105.

Routers 109-125 are backbone routers of the ISP network 101, as distinguished from external routers. That is, external routers (not shown) belong to a subscriber or another ISP, and are not a part of the ISP network 101. Backbone routers 109-125 are further classified according to their adjacency. Edge routers 109, 111, 113, and 115 are backbone routers that are adjacent to one or more external routers. Another type of backbone router is defined as a tracking router 125. A tracking router 125 is logically adjacent to edge routers and other tracking routers (not shown), according to an embodiment of the present invention. An adjacency between a tracking router 125 and an edge router 109-115 is defined as a tracking adjacency. In the example of Figure 1, an ISP network 101 is assumed to receive attacks from outside the network 101, in which the attacks are targeted at a victim 105 that is outside the network 101. [The edge router through which the attack traffic leaves the network 101 toward the victim 105 is the egress] edge adjacency; which, in this scenario, is edge router 109.

Subscriber 103, as attacker, launches DoS flood attacks using bogus source addresses so [that the attacks cannot be traced back to it]. Victim 105 communicates its service disruption to the ISP, which must restore service by locating the attacker 103 and redirecting the bogus traffic away from the victim 105. [To do so,] the network 101 identifies an attack signature of the attack launched by attacker 103. Attack [signatures are defined by what distinguishes the attack traffic from] normal traffic. At the very least, an attack signature is defined by the IP address or address range of the victim 105, which is being attacked.

In the system of Figure 1, tracking router 125 forms an overlay network with edge routers 109, 111, 113, and 115 [to track] the packet flood attacks into ISP network 101. According to one embodiment of the present invention, [tracking is performed using input] debugging. Input debugging refers to the diagnostic features that determine the adjacency that [delivered particular] datagrams. A tracking hop is defined as one usage of input debugging on a particular router. [The overlay tracking network is characterized] in terms of the maximum hop diameter of the [overlay]. [...] enables the ISP to expediently determine the ingress edge router. Tracking router 125 and edge routers 109, 111, 113 and 115 are [interconnected by] links 127 between tracking router 125 and the edge routers; the links 127 are logical IP tunnels, according to an embodiment of the present invention. Alternatively, the links 127 may be physical connections or virtual [connections]; the virtual connections may be over any [...] protocol. IP tunnels, as shown by bold lines 127 [in Figure 1, ...]. Because IP is supported by all edge routers [...], the IP tunnels are isolated [...]. [This] advantageously reduces the complexity of the overlay tracking network, as well as [...]. Upon creation of the overlay tracking network, a method known as hop-by-hop tracking is employed to determine the ingress edge [router. The method involves edge routers] 109, 111, 113, and 115 as well as tracking [router 125]. This approach is further detailed in Figure 2, below.

Figure 2 shows a flow diagram of the hop-by-hop input debugging [process employed] by the overlay tracking network of Figure 1. Because each edge router 109, 111, 113, and 115 is [equipped with input debugging] and security diagnostic [features], the edge routers 109, 111, 113 and 115 can identify [attack datagrams] based upon the attack signature, [...]. In the example of Figure 1, egress edge router 109 is determined [by analysis] performed by the victim or tools employed by the [ISP]. [Next,] packets destined for the victim [are rerouted] through the overlay network to the egress edge router due to a dynamic routing update. The egress edge router specifically does not receive this update, ignores the update, or otherwise does not honor the update. The result of this is that all packets received by edge routers 111, 113, and 115 [that are destined for the victim are forwarded through tracking router] 125 to the egress edge router 109. Thereafter, hop-by-hop tracking is then used, starting with the tracking router closest to [the victim 105]. Tracking router 125, in this example, checks all the tunnels 127. Next, tracking router 125 determines whether a DoS [flood is arriving on any of the tunnels 127 ...]. [In the] hop-by-hop tracking scheme, step 205 and subsequent steps are repeated as many times as necessary until the ingress edge router 113 is located.

The above method of Figure 2 provides an effective [means of tracking] one attacker 103. However, [...] individual attacker lacks the resources to launch an effective attack.
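The hop-by-hop procedure of Figure 2 worked through in code, as an added example (the editor's illustration, not code from the patent): a constructed sample of datagrams, recorded by the edge routers' input debugging, is run through a tracker that starts at the tracking router closest to the victim, checks every tunnel for datagrams matching the attack signature (the victim's address range), and repeats the tracking hop until it reaches an edge router, where input debugging names the ingress adjacency. Router and adjacency names, the addresses (RFC 5737 documentation ranges), the threshold, and the two-level overlay used to show the larger hop diameter of Figure 4 are all assumptions of this example.

```python
"""Hop-by-hop input debugging over an overlay tracking network (constructed model).

Follows the procedure of Figure 2: victim-bound traffic is rerouted through the
tracking router(s), each tracking hop runs input debugging on one router, and
the walk ends at the edge router whose external adjacency carries the flood.
All names, addresses and counts are assumptions for this example.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Edge routers and the external adjacencies (customer / peer links) they face.
EDGE_ADJACENCIES = {
    "edge_109": ["cust_victim_105"],      # egress edge: the victim is behind it
    "edge_111": ["peer_A"],
    "edge_113": ["cust_103", "peer_B"],   # attacker 103 is behind cust_103
    "edge_115": ["peer_C"],
}

# Overlay of Figure 1: one tracking router, one IP tunnel (127) to each edge router.
# Format: tracking router -> {tunnel name: node at the far end of the tunnel}.
OVERLAY_FULL = {
    "tracker_125": {"tun_109": "edge_109", "tun_111": "edge_111",
                    "tun_113": "edge_113", "tun_115": "edge_115"},
}
# Two-level overlay in the spirit of Figure 4: a top-level tracker above tracker_125.
OVERLAY_HIER = {
    "tracker_top": {"tun_a": "tracker_125", "tun_b": "edge_115"},
    "tracker_125": {"tun_109": "edge_109", "tun_111": "edge_111", "tun_113": "edge_113"},
}

VICTIM_PREFIX = ip_network("192.0.2.0/24")   # attack signature: the victim's address range

# Constructed datagram sample as seen by the edge routers' input debugging:
# (edge router, external adjacency it arrived on, source, destination).
# Flood sources are forged, as the text notes, so they are useless for tracing.
SAMPLE = (
    [("edge_113", "cust_103", f"203.0.113.{i}", "192.0.2.10") for i in range(1, 201)]  # flood
    + [("edge_111", "peer_A", "198.51.100.7", "192.0.2.10")] * 3                         # legitimate
    + [("edge_115", "peer_C", "198.51.100.9", "192.0.2.44")] * 2                         # legitimate
    + [("edge_113", "peer_B", "198.51.100.5", "198.51.100.200")] * 5                     # unrelated
)


def edges_below(node, overlay):
    """Edge routers whose victim-bound traffic reaches `node` over the overlay (tree assumed)."""
    if node in EDGE_ADJACENCIES:
        return [node]
    return [e for far in overlay[node].values() for e in edges_below(far, overlay)]


def matching(datagrams, edge, prefix):
    """Datagrams that entered the network at `edge` and match the attack signature."""
    return [d for d in datagrams if d[0] == edge and ip_address(d[3]) in prefix]


def tunnel_counts(tracker, datagrams, prefix, egress_edge, overlay):
    """Input debugging on a tracking router: signature-matching datagrams per tunnel.
    The egress edge router does not honor the reroute, so nothing entering there
    is ever seen on its tunnel; every other edge forwards victim-bound traffic up."""
    counts = Counter()
    for tunnel, far in overlay[tracker].items():
        for edge in edges_below(far, overlay):
            if edge != egress_edge:
                counts[tunnel] += len(matching(datagrams, edge, prefix))
    return counts


def track_flood(datagrams, prefix, egress_edge, start, overlay, threshold=50):
    """Hop-by-hop tracking from the tracking router closest to the victim.
    Returns ([(ingress edge, ingress adjacency, datagram count), ...], tracking hops used)."""
    found, hops, frontier = [], 0, [start]
    while frontier:
        node = frontier.pop()
        hops += 1                                   # one usage of input debugging
        if node in EDGE_ADJACENCIES:                # final hop: name the external adjacency
            per_adj = Counter(adj for _r, adj, _s, _d in matching(datagrams, node, prefix))
            found += [(node, adj, n) for adj, n in per_adj.items() if n >= threshold]
        else:                                       # tracking router: check all of its tunnels
            for tunnel, n in tunnel_counts(node, datagrams, prefix, egress_edge, overlay).items():
                if n >= threshold:
                    frontier.append(overlay[node][tunnel])
    return sorted(found), hops


if __name__ == "__main__":
    print(track_flood(SAMPLE, VICTIM_PREFIX, "edge_109", "tracker_125", OVERLAY_FULL))
```

With the default threshold only the tunnel from edge router 113 carries enough signature traffic, so two tracking hops (the tracking router, then edge router 113) locate adjacency cust_103. Lowering the threshold to 3 also flags the three legitimate datagrams from peer_A behind edge router 111, which is the false-positive risk of a signature that consists of nothing more than the victim's prefix. Starting from the top-level tracker of the two-level overlay needs three hops for the same answer, which is the larger diameter the text attributes to the Figure 4 arrangement.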


Figure 3 shows a full mesh overlay tracking network according to an embodiment of the present invention. Backbone routers 117, 119, 121 and 123 of Figure 1 are not shown to simplify the diagram. The overlay [tracking network has] links to the edge routers 109, 111, 113, and 115. [If each tracking router has] C tracking adjacencies, then the number of tracking routers, $N_C$, [needed for $N_E$ edge routers is given by equation (1)]:

$N_C = \frac{(C+1) - \sqrt{(C+1)^2 - 4N_E}}{2}$        Eq. (1)

In contrast to the full mesh overlay network of Figure 3, Figure 4 shows an overlay [tracking network in which the tracking routers connect] to a single top-level tracking router. This increases the diameter of the [overlay tracking network ...]. [The number of adjacencies per] tracking router, C, can be calculated according to equation (2): [...]
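Eq. (1) for the full mesh overlay of Figure 3 applied in code, as an added example rather than anything from the patent: one function solves the quadratic for $N_C$, and a second builds the resulting mesh and counts each tracking router's adjacencies so the reader can confirm that the smaller root gives exactly C adjacencies per tracking router. The equal-share assignment of edge routers to tracking routers, and the reading of Eq. (1) as the root of $N^2 - (C+1)N + N_E = 0$, are this example's assumptions.

```python
"""Sizing a full-mesh overlay tracking network from Eq. (1) (added example).

Model assumed here: each of the N_C tracking routers peers with every other
tracking router and with an equal share N_E / N_C of the edge routers, so
(N_C - 1) + N_E / N_C = C, i.e. N_C^2 - (C + 1) N_C + N_E = 0, whose smaller
root is Eq. (1). The names below are assumptions of this example.
"""
from math import isqrt


def tracking_routers_full_mesh(c, n_e):
    """Smaller root of N^2 - (C+1)N + N_E = 0 (Eq. (1)); raises if there is no integer root."""
    disc = (c + 1) ** 2 - 4 * n_e
    if disc < 0:
        raise ValueError(f"C={c} adjacencies per tracking router cannot cover {n_e} edge routers")
    root = isqrt(disc)
    if root * root != disc or ((c + 1) - root) % 2:
        raise ValueError(f"no integer number of tracking routers for C={c}, N_E={n_e}")
    return ((c + 1) - root) // 2


def feasible(c, n_e):
    """True when Eq. (1) yields an integer number of tracking routers."""
    try:
        tracking_routers_full_mesh(c, n_e)
        return True
    except ValueError:
        return False


def build_full_mesh(c, n_e):
    """Adjacency lists: tracking routers fully meshed, edge routers dealt out round-robin."""
    n_c = tracking_routers_full_mesh(c, n_e)
    trackers = [f"tracker_{i}" for i in range(n_c)]
    adj = {t: [u for u in trackers if u != t] for t in trackers}
    for k in range(n_e):
        adj[trackers[k % n_c]].append(f"edge_{k}")
    return adj


def adjacency_counts(adj):
    """Tracking adjacencies per tracking router; every value should equal C."""
    return {t: len(peers) for t, peers in adj.items()}


if __name__ == "__main__":
    # Figure 1: four edge routers and C = 4 give a single tracking router
    print(tracking_routers_full_mesh(4, 4), adjacency_counts(build_full_mesh(4, 4)))
```

For Figure 1 ($N_E = 4$, $C = 4$) the result is one tracking router with four edge adjacencies; with six edge routers two tracking routers are needed, each peering with the other and with three edge routers. The larger root of the quadratic also satisfies the adjacency count (four tracking routers with one edge router each for $N_E = 4$) but uses more tracking routers, which is why Eq. (1) takes the smaller root.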

Figure 5 shows [an overlay tracking network spanning two autonomous systems 501 and 503, in accordance with an embodiment of the present invention. Autonomous systems 501 and 503 group] the backbone routers 509-523 in terms of dynamic routing policy. An autonomous system is a [set of routers under a common administration that share a common routing policy]. As shown in Figure 5, AS 501 includes tracking routers 505 and 507, while AS 503 [...]. [...] transit router hierarchy, and transit routers 517 and 523 are at the bottom level of the hierarchy.

[Tunnels 525, 527, 529, 531, and 533 connect the tracking routers and the edge routers ...]. Once tunnels 525, 527, 529, 531, and 533 are built, an Interior Gateway Protocol (IGP) [is used to exchange reachability information] about the tunnels 525, 527, 529, 531, and 533. The IGP is an intradomain routing exchange protocol [...]. Because [...]. That is, the loop back interface is used so that BGP does not have to rely on the availability of a [particular physical] interface for establishing TCP (Transmission Control Protocol) connections. BGP [...] a path to the destination [...]. Based upon this routing information, BGP constructs a loop-free map of the network [...] autonomous systems 501 and 503.

[A static route to the victim 535 is installed] on the egress edge router 515. The static route on the egress edge router 515 takes precedence over the route from the overlay tracking network, causing the edge router 515 to continue routing traffic to the victim 535. Once the static route is in place, a new path is created via the overlay tracking [network, starting with the tracking router] closest to the victim 535 to find the attacker.
Figure 6 illustrates the interconnection between two tracking routers using IP tunneling in [accordance with an embodiment of the present invention. If a tunnel termination address is learned through the tunnel itself, the] tunnel 525 collapses and becomes useless. To prevent collapse of tunnel 525, it is necessary to ensure that no tunnel termination address can be announced through the tunnel 525. Thus, [the tunnel termination addresses of the overlay tracking] network are to be routed directly out of a tracking router's physical interface. For this reason, tunnel interfaces are numbered out of a distinct address range (i.e., tunnel [...]). [Tracking router 505 has an overlay loop back] interface 601 and a primary loop back interface 603. In both cases, the overlay loop back [...]. This reachability for the loop backs is established over the tunnel 525, which is not numbered.

Once the tracking routers 505 and 507 of AS 501 [are connected by tunnel 525, tracking routers] 505 and 507 establish IBGP sessions with each other over tunnel 525 [...]. [IBGP is prevented from announcing routes] about the primary loop backs 603 and 605 by filtering the [announcements]; [...] IBGP is prevented from announcing these primary loop backs [through the tunnel].

Figure 7 shows a tunnel connection between a tracking [router 505 and an edge router 509 according to an embodiment of the present invention]. After the tracking routers 505 and 507 are [interconnected, each edge router is connected] to a tracking router using IP tunnels. Edge router 509 has an overlay loop back 701 as well as a primary loop back 703. [The overlay] loop backs are used as termination points for the tunnels, [rather than the] primary loop backs. For the edge routers, reachability for the overlay loop backs is established using static routes. Once the overlay loop backs are known, EBGP sessions are established between edge router 509 and tracking router 505 [via the] overlay loop backs 601 and 701. A static route also exists between tracking router 505 and edge router 509 via primary loop backs 603 and 703. The overlay tracking network [does not accept] any routes that are announced from an edge router; however, edge routers accept any [routes announced by] the overlay tracking network, setting the local preference high to force [traffic through the] overlay tracking network.
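The routing rules of Figures 5 to 7 (tunnel termination addresses never learned through the tunnel itself, the overlay refusing routes from edge routers while edge routers prefer overlay routes, and the egress edge router's static route winning) modelled as an added example in Python, not code or configuration from the patent: a small RIB with recursive next-hop resolution shows the tunnel collapse that occurs when a primary loop back is announced over its own tunnel, and the filter that prevents it. Interface names, addresses and the Cisco IOS-style administrative distances are assumptions of this example.

```python
"""Route handling on the overlay tracking network (added example).

A small RIB model of the rules given for Figures 5 to 7:
  1. a tunnel termination address (primary loop back) must never be learned
     over the tunnel itself, otherwise the tunnel collapses because its
     destination would resolve through the tunnel it terminates;
  2. the overlay accepts no routes from edge routers, while edge routers
     accept overlay routes with a high local preference;
  3. a static route for the victim on the egress edge router takes precedence
     over the overlay route.
Administrative distances follow Cisco IOS-style defaults (connected 0,
static 1, eBGP 20, IGP 110, iBGP 200); that choice, the addresses and the
interface names are assumptions of this example, not values from the patent.
"""
from ipaddress import ip_address, ip_network

ADMIN_DISTANCE = {"connected": 0, "static": 1, "ebgp": 20, "igp": 110, "ibgp": 200}


class Router:
    def __init__(self, name, role, tunnels):
        self.name, self.role = name, role
        self.tunnels = tunnels            # tunnel interface -> tunnel termination address
        self.rib = {}                     # prefix -> candidate routes

    def learn(self, prefix, proto, via, local_pref=100, from_role=None, filter_endpoints=True):
        """Apply import policy, then store the route. `via` is the outgoing interface."""
        prefix = ip_network(prefix)
        if self.role == "tracking" and from_role == "edge":
            return False                  # rule 2: the overlay never accepts routes from edge routers
        if filter_endpoints and via in self.tunnels and any(
                ip_address(dst) in prefix for dst in self.tunnels.values()):
            return False                  # rule 1: no tunnel endpoint reachable through a tunnel
        if self.role == "edge" and from_role == "tracking":
            local_pref = 500              # rule 2: edge routers prefer the overlay path
        self.rib.setdefault(prefix, []).append({"proto": proto, "via": via, "lp": local_pref})
        return True

    def best(self, prefix):
        """Lowest administrative distance wins, then highest local preference."""
        cands = self.rib.get(ip_network(prefix), [])
        return min(cands, key=lambda r: (ADMIN_DISTANCE[r["proto"]], -r["lp"]), default=None)

    def egress_interface(self, addr, _seen=()):
        """Longest-match lookup with recursive resolution of tunnel endpoints.
        Returns the physical interface, or None when resolution loops back into a
        tunnel already on the path (the collapsed tunnel of Figure 6)."""
        addr = ip_address(addr)
        matches = [p for p in self.rib if addr in p]
        if not matches:
            return None
        route = self.best(max(matches, key=lambda p: p.prefixlen))
        via = route["via"]
        if via not in self.tunnels:
            return via
        if via in _seen:
            return None
        return self.egress_interface(self.tunnels[via], _seen + (via,))


def tracking_router(filter_endpoints):
    """Tracking router 505 of Figure 6: tunnel 525 terminates on 507's primary loop back."""
    r = Router("tracker_505", "tracking", tunnels={"Tunnel525": "10.0.0.2"})
    r.learn("10.0.0.0/24", "static", via="Gig0/0")       # primary loop backs: physical path
    r.learn("10.255.0.2/32", "igp", via="Tunnel525")     # 507's overlay loop back, over the tunnel
    # An IBGP announcement of 507's primary loop back arriving over the tunnel itself:
    r.learn("10.0.0.2/32", "ibgp", via="Tunnel525", filter_endpoints=filter_endpoints)
    return r


def edge_router(is_egress):
    """Edge router of Figure 7 after the overlay announces the victim prefix 192.0.2.0/24."""
    e = Router("edge_509", "edge", tunnels={"Tunnel0": "10.0.0.1"})
    e.learn("10.0.0.0/24", "static", via="Gig0/1")
    e.learn("192.0.2.0/24", "ebgp", via="Gig0/2", from_role="external")   # normal path to the victim
    e.learn("192.0.2.0/24", "ebgp", via="Tunnel0", from_role="tracking")  # overlay path, local pref raised
    if is_egress:
        e.learn("192.0.2.0/24", "static", via="Gig0/2")                   # rule 3: egress keeps the direct path
    return e


if __name__ == "__main__":
    print(tracking_router(True).egress_interface("10.255.0.2"),    # Gig0/0: tunnel resolves via physical path
          tracking_router(False).egress_interface("10.255.0.2"),   # None: the unfiltered /32 collapses the tunnel
          edge_router(False).egress_interface("192.0.2.10"),        # Gig0/1: non-egress edge sends via the overlay
          edge_router(True).egress_interface("192.0.2.10"))         # Gig0/2: egress edge keeps its static route
```

The collapse is a longest-match effect: the physical path to the primary loop backs is a /24, so a /32 for the tunnel endpoint learned over the tunnel wins the lookup regardless of administrative distance, and resolving that /32 leads back into the same tunnel. Filtering the announcement (here on import; the text filters it on the IBGP announcing side, which has the same effect) keeps the endpoint reachable only out of the physical interface.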
Figure 8 illustrates a computer system 801 upon which an embodiment according to the present invention can be implemented. Computer system 801 includes a bus 803 or other communication mechanism for communicating information, and a processor 805 coupled to bus 803 for processing information. Computer system 801 also includes a main memory 807, such as a random access memory (RAM) or other dynamic storage device, coupled to bus 803 for storing information and instructions to be executed by processor 805. Computer system 801 further includes a read only memory (ROM) 809 or other static storage device coupled to bus 803 for storing static information and instructions for processor 805. A storage device 811, such as a magnetic disk or optical disk, is coupled to bus 803 for storing information and instructions.

Embodiments are related to the use of computer system 801 for [tracking] flood attacks. According to one embodiment, [tracking of] flood attacks is provided by computer system 801 in response to processor 805 executing one or more sequences of one or more instructions contained in main memory 807. [...] [hard-wired] circuitry and software [instructions].

Transmission media can also take the form of acoustic or light waves, such as those generated during radio wave and infrared data communications.

Various forms of computer readable media may be involved in carrying one or more sequences of one or more instructions to processor 805 for execution. For example, the instructions may initially be carried on a magnetic disk of a remote computer. The remote computer can load the instructions [into its dynamic memory and send the instructions over a telephone line using a modem]. A modem local to computer system 801 can [receive the data on the telephone line and] use an infrared transmitter to convert the data to an infrared signal. An infrared detector coupled to bus 803 can receive the data [carried in the infrared signal and place the data on bus 803. Bus 803] carries the data to main memory 807, from which processor 805 retrieves and [executes the instructions. The instructions may optionally be stored on storage] device 811 either before or after [execution] by processor 805.

Computer system 801 also includes an input/output unit 815 coupled to bus 803 [that provides a data communication coupling to a network link 821 connected to] the IP network 823. For example, input/output unit 815 [may be a] network communication interface card to attach to any packet switched network using the following exemplary interfaces: SONET (Synchronous Optical Network) (e.g., OC-3c, OC-nc, OC-48c, etc.), ATM (Asynchronous Transfer Mode) (25 Mbps, 622 Mbps, etc.), DSL (Digital Subscriber Line), and ISDN (Integrated Services Digital Network).

[Network link 821 typically provides data] communication through one or more networks (i.e., the private network 617) to other data devices. Networks, which are a part of the private network 617, use electrical, electromagnetic or optical signals that carry digital data streams. The signals through the various networks and the signals on network link 821 and through input/output unit 815, which carry the digital data to and from computer system 801, are exemplary forms of carrier waves transporting the information. Computer system 801 can send messages and receive data, including program code, [through the network(s), network link 821 and input/output unit 815].

[The overlay tracking network is formed by the edge routers and] the tracking routers. Using security [diagnostic features], the tracking routers identify DoS flood [datagrams rerouted from] the edge routers [and locate the] ingress edge router. These datagrams are examined and dropped, or [...] [input] debugging to determine the ingress [adjacency]. [The process of determining] the ingress adjacency of a flood attack [...].

Obviously, numerous modifications and variations of the present invention are possible in light of the above teachings. It is therefore to be understood that within the scope of the appended claims, the invention may be practiced otherwise than as specifically described herein.